diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c index 31e83062615f..595211252773 100644 --- a/sys/netinet/igmp.c +++ b/sys/netinet/igmp.c @@ -183,6 +183,11 @@ static int vnet_igmp_idetach(const void *); * VIMAGE: Each in_multi corresponds to an ifp, and each ifp corresponds * to a vnet in ifp->if_vnet. * + * SMPng: XXX We may potentially race operations on ifma_protospec. + * The problem is that we currently lack a clean way of taking the + * IF_ADDR_LOCK() between the ifnet and in layers w/o recursing, + * as anything which modifies ifma needs to be covered by that lock. + * So check for ifma_protospec being NULL before proceeding. */ struct mtx igmp_mtx; int mpsafe_igmp = 0; @@ -601,6 +606,7 @@ out: * is detached, but also before the link layer does its cleanup. * * SMPNG: igmp_ifdetach() needs to take IF_ADDR_LOCK(). + * XXX This is also bitten by unlocked ifma_protospec access. * * VIMAGE: curvnet should have been set by caller, but let's not assume * that for now. @@ -623,8 +629,13 @@ igmp_ifdetach(struct ifnet *ifp) if (igi->igi_version == IGMP_VERSION_3) { IF_ADDR_LOCK(ifp); TAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) { - if (ifma->ifma_addr->sa_family != AF_INET) + if (ifma->ifma_addr->sa_family != AF_INET || + ifma->ifma_protospec == NULL) continue; +#if 0 + KASSERT(ifma->ifma_protospec != NULL, + ("%s: ifma_protospec is NULL", __func__)); +#endif inm = (struct in_multi *)ifma->ifma_protospec; if (inm->inm_state == IGMP_LEAVING_MEMBER) { SLIST_INSERT_HEAD(&igi->igi_relinmhead, @@ -783,7 +794,8 @@ igmp_input_v1_query(struct ifnet *ifp, const struct ip *ip) */ IF_ADDR_LOCK(ifp); TAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) { - if (ifma->ifma_addr->sa_family != AF_INET) + if (ifma->ifma_addr->sa_family != AF_INET || + ifma->ifma_protospec == NULL) continue; inm = (struct in_multi *)ifma->ifma_protospec; if (inm->inm_timer != 0) @@ -880,7 +892,8 @@ igmp_input_v2_query(struct ifnet *ifp, const struct ip *ip, IF_ADDR_LOCK(ifp); TAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) { - if (ifma->ifma_addr->sa_family != AF_INET) + if (ifma->ifma_addr->sa_family != AF_INET || + ifma->ifma_protospec == NULL) continue; inm = (struct in_multi *)ifma->ifma_protospec; igmp_v2_update_group(inm, timer); @@ -1701,7 +1714,8 @@ igmp_fasttimo_vnet(void) IF_ADDR_LOCK(ifp); TAILQ_FOREACH_SAFE(ifma, &ifp->if_multiaddrs, ifma_link, tifma) { - if (ifma->ifma_addr->sa_family != AF_INET) + if (ifma->ifma_addr->sa_family != AF_INET || + ifma->ifma_protospec == NULL) continue; inm = (struct in_multi *)ifma->ifma_protospec; switch (igi->igi_version) { @@ -3311,7 +3325,8 @@ igmp_v3_dispatch_general_query(struct igmp_ifinfo *igi) IF_ADDR_LOCK(ifp); TAILQ_FOREACH_SAFE(ifma, &ifp->if_multiaddrs, ifma_link, tifma) { - if (ifma->ifma_addr->sa_family != AF_INET) + if (ifma->ifma_addr->sa_family != AF_INET || + ifma->ifma_protospec == NULL) continue; inm = (struct in_multi *)ifma->ifma_protospec; diff --git a/sys/netinet/in.c b/sys/netinet/in.c index 1927b5c116f6..1423e8183ef3 100644 --- a/sys/netinet/in.c +++ b/sys/netinet/in.c @@ -1011,6 +1011,8 @@ in_ifdetach(struct ifnet *ifp) * Delete all IPv4 multicast address records, and associated link-layer * multicast address records, associated with ifp. * XXX It looks like domifdetach runs AFTER the link layer cleanup. + * XXX This should not race with ifma_protospec being set during + * a new allocation, if it does, we have bigger problems. */ static void in_purgemaddrs(struct ifnet *ifp) @@ -1031,8 +1033,13 @@ in_purgemaddrs(struct ifnet *ifp) */ IF_ADDR_LOCK(ifp); TAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) { - if (ifma->ifma_addr->sa_family != AF_INET) + if (ifma->ifma_addr->sa_family != AF_INET || + ifma->ifma_protospec == NULL) continue; +#if 0 + KASSERT(ifma->ifma_protospec != NULL, + ("%s: ifma_protospec is NULL", __func__)); +#endif inm = (struct in_multi *)ifma->ifma_protospec; LIST_INSERT_HEAD(&purgeinms, inm, inm_link); } diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index e91a5bf2636f..9918c9527c0f 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -432,6 +432,9 @@ in_getmulti(struct ifnet *ifp, const struct in_addr *group, if (error != 0) return (error); + /* XXX ifma_protospec must be covered by IF_ADDR_LOCK */ + IF_ADDR_LOCK(ifp); + /* * If something other than netinet is occupying the link-layer * group, print a meaningful error message and back out of @@ -454,9 +457,12 @@ in_getmulti(struct ifnet *ifp, const struct in_addr *group, #endif ++inm->inm_refcount; *pinm = inm; + IF_ADDR_UNLOCK(ifp); return (0); } + IF_ADDR_LOCK_ASSERT(ifp); + /* * A new in_multi record is needed; allocate and initialize it. * We DO NOT perform an IGMP join as the in_ layer may need to @@ -467,6 +473,7 @@ in_getmulti(struct ifnet *ifp, const struct in_addr *group, inm = malloc(sizeof(*inm), M_IPMADDR, M_NOWAIT | M_ZERO); if (inm == NULL) { if_delmulti_ifma(ifma); + IF_ADDR_UNLOCK(ifp); return (ENOMEM); } inm->inm_addr = *group; @@ -489,6 +496,7 @@ in_getmulti(struct ifnet *ifp, const struct in_addr *group, *pinm = inm; + IF_ADDR_UNLOCK(ifp); return (0); } @@ -522,6 +530,7 @@ inm_release_locked(struct in_multi *inm) ifma = inm->inm_ifma; + /* XXX this access is not covered by IF_ADDR_LOCK */ CTR2(KTR_IGMPV3, "%s: purging ifma %p", __func__, ifma); KASSERT(ifma->ifma_protospec == inm, ("%s: ifma_protospec != inm", __func__));